About the live stream

Who may be interested in watching the training live stream?

Live stream is aimed at educating top-level management, non-technical specialists and everyone who wants to learn more about cybersecurity.

Do I need to register on the website to watch the live stream?

No, the live stream can be viewed by anyone without registration. Sign up for news updates and add the event to your calendar.

How long will the live stream go on for? What will it include?

The live stream will start at 12:00 p.m. (UTC+3) and is expected to run until 4:30 p.m. The agenda includes interviews and discussions with globally renowned experts from the World Economic Forum, INTERPOL, ICANN and tech corporations. The speakers will address the latest technology trends and cyberthreats associated with these technologies, they will also analyse different types of attacks and share tips on how to prevent and mitigate their consequences.

Where and when can I watch the live stream?

The event will be streamed to the main page of cyberpolygon.com on 8 July 2020.

Will the video be available afterwards?

The full video of the training will be available after the event on the Gallery page.

The online training was developed for companies where cybersecurity is not the key business activity and which seek to develop the skills of their internal team of specialists. Training would not be relevant for expert cybersecurity organisations. We invite representatives of cybersecurity companies to watch the live stream.

About the technical training

Who is this training for?

Cyber Polygon is aimed at developing skills of IT and cybersecurity specialists. We invite technical teams from organisations to participate.

The online exercise is designed for companies where cybersecurity is not a core business, but who seek to develop professional skills of their internal teams. The training would not be relevant for specialised cybersecurity organisations, though they are very welcome to watch the live stream.

Do I need to go anywhere to participate in the training?

No, participants can join the training from anywhere in the world. All tasks will be performed remotely: teams will be provided with access to a virtual cloud infrastructure.

How to prepare for the training? Will any additional resources be required?

Participation in Cyber Polygon requires no additional resources. In order to better prepare for the training, we suggest reading a series of articles on the Materials page: this will help to get an overview on topics related to the scenarios of the training.

When will access to the virtual cloud infrastructure be provided?

Participants will gain access to the infrastructure of the first scenario at 11:30 a.m. (UTC+3). So, they will have 30 minutes before the first scenario is launched. The access to the infrastructure of the second scenario will be given together with its start at 1:30 p.m.

Do I need to install any software to connect to the cloud infrastructure?

Each team member needs to install the OpenVPN client. An installation and setup guide will be emailed to the registered participants. Better check beforehand that OpenVPN is not blocked by the corporate security rules.

How many participants can connect via VPN at any one time?

Each team will have a dedicated OpenVPN account, which does not limit the number of simultaneous connections. However, the recommended limit would be 10 connections at a time.

What is the duration of training?

The training will last from 12:00 p.m. until 5:30 p.m. (UTC+3).

How to become a participant?

If you are interested in taking part in the training, please fill out the form on the website or send your application to cyberpolygon@bi.zone.

What is the limit to the size of the team?

Number of specialists in a team is not limited.

What kind of specialists are good for the team?

The technical training is designed for all kinds of cybersecurity and IT professionals. The best arrangement would include forensics experts, cybersecurity analysts, as well as SOC operators.

Can a team not affiliated with any organisation take part in the training?

No, training participation is open strictly to organisations.

How many teams can represent one organisation?

Only one team to an organisation.

How many organisations can take part in the training?

The number is not limited. Any organisation interested will be able to participate in Cyber Polygon.

Could an organisation join the exercise as a Red Team?

No. All participants take the side of Blue Team and work on protecting their segments of the training infrastructure against the Red Team which is represented by the organisers (BI.ZONE).

Will the teams receive any instructions on what needs to be done to solve a particular task?

In your profile you will find:

  • scenario rules
  • description of tasks within each scenario
  • hints and additional materials on the topic

With the help of these materials, participants are expected to understand how to cope with the tasks by themselves.

Will the teams receive any technical support during the exercise?

Yes, they will be able to submit their questions via Telegram at @CyberPolygon_TechSupport.

About scenario 1. Defence

Does Blue Team have a list of vulnerabilities similar to that of Red Team (according to the scenario legend)?

Blue Team will not have a list of vulnerabilities. Participants should independently analyse the service code and network activity of Red Team and determine which vectors of attack Red Team is using.

Are the participants allowed to change the code, and if so, how can it be released?

Blue Teams have full access to their virtual infrastructure segment and are free to make any changes to the service code or configuration. The service is implemented through scripted programming, so a reassembly of the application is not required.

How can the service code be changed?

All changes are made directly on the Blue Team virtual infrastructure ’combat’ system.

How is the service performance monitored? What are the accessibility criteria (port availability, response code, accessibility of a page with specific text)?

The service must function as intended by the developer. If there is a registration page, the user must be able to register successfully with the correct set of input parameters. If there is an intended messaging feature, messages must send correctly. If there is a file upload form, files of permitted format and size must load to the server successfully.

The application functionality is fully tested: if at least one component does not function properly (for example, Blue Team removed API endpoint for uploading files), the service will be rendered unavailable.


Files can be uploaded to the server through the API endpoint /upload. An attacker can upload a file with the .php extension and execute arbitrary code on the server.

Correct solution: add filtering by type of uploaded files (prohibit uploading files with the extensions .php, .php3, .php5, .phtml). In this case, legitimate files (for example, pictures) will be uploaded to the server, and the service will not be marked as unavailable.

Wrong solution: disable the API endpoint. In this case, legitimate files (for example, pictures) will not be uploaded to the server, and the service will be marked as unavailable.

In order to determine which functionality is legitimate and what changes will affect service performance, we recommend following sound logic. :)

Does Blue Team initially know the total amount of confidential information and thus assess the severity of the leak?

The so-called ‘flags’ represent confidential data. Flags are updated every five minutes. The more flags Red Team was able to steal, the greater the leak of confidential data.

How much time does Blue Team have to install and configure their security tools? Is Blue Team given a handicap for fixing vulnerabilities?

We give participants 30 minutes to prepare before the start of a scenario.

Is it allowed to use packet filtering (firewall) — for example, to block the attacker’s IP address?

Packet filtering is permitted. It is also possible to block the attacker’s IP address, but this will render the service unavailable, since at the network level the checker traffic (which can be considered as legitimate user traffic) and the attacker traffic are indistinguishable (both even have the same IP address). In this situation, Blue Team will lose SLA points, but keep HPs. Thus, with the right approach, blocking the attacker IP address can improve the final result of Blue Team.

Is it allowed to carry out DoS/DDoS attacks on infrastructure and services?

DoS/DDoS attacks on the infrastructures of either the organisers or other participants are strictly prohibited and can end in a zero-result for the task. Red Team will not be using DoS/DDoS as an attack method.

Does the amount of lost confidential data have an effect on the results of the first scenario?

A leak of confidential data will lead to a loss of HP, which according to the SLA x HP formula, will result in a decrease of the total number of points received for the task.

How is service availability controlled during an attack?

Red Team will not carry out attacks that may affect service availability. The availability of the services may only be affected by the actions of Blue Team (for example, misconfigurations of the security assets or incorrect changes to the service code).

About scenario 2. Response

Do the participants receive a short guide or a demo of the Threat Hunting platform?

The platform will be built using free Elasticsearch and Kibana products, so no special instructions are needed. It is enough to be able to make search requests in Kibana interface and analyse the results. If you do not have such experience, we recommend trying to utilise these products before the event.

Will EDR be constantly collecting telemetry from the hosts and sending it to Threat Hunting platform during the scenario?

No, there won’t be any telemetry collection. All the data from EDR will be uploaded to Threat Hunting platform in advance, before the training starts.

Is there any retribution for wrong answers? Is the number of attempts to solve the task limited?

Participants are not penalised for giving wrong answers. The teams will have 5 attempts to answer each question. If a team is not able to give the correct answer 5 times, the task is withdrawn.

If all Blue Teams start off with the same points (e.g. 200). Each hint is worth, say, 40 points. If the task is solved without any hints, the full 200 points are awarded. But if the hints do get used, do the deducted points then correspond with the value of each hint?

All Blue Teams start off with 0 points. Correct answers add the points for the question to the total scoring. If hints have been used, the points for the question are added, minus the deductibles.

Are the hints opened in order or at random?

The hints can be only opened in order. For example, Blue Team solves all the tasks without turning to the hints and gets stuck on the final problem — by using the hint for the final problem, Blue Team loses all rewards for that question.